From 87bea46cde4e03dd1c82ed163942679ba8539958 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Mon, 24 Feb 2003 22:36:30 +0000 Subject: [PATCH] * gssapi_krb5.c (kg_get_defcred): Revert previous; it's probably not appropriate for inquire_cred() to cause new credentials to be fetched. * init_sec_context.c (krb5_gss_init_sec_context): Explicitly release default cred in the NO_CREDENTIAL case, so it is always refreshed. ticket: 1305 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15201 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/gssapi/krb5/ChangeLog | 10 ++++++ src/lib/gssapi/krb5/gssapi_krb5.c | 49 +++++++++----------------- src/lib/gssapi/krb5/init_sec_context.c | 7 ++++ 3 files changed, 34 insertions(+), 32 deletions(-) diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index c2391495a..26afbfa72 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,13 @@ +2003-02-24 Tom Yu + + * gssapi_krb5.c (kg_get_defcred): Revert previous; it's probably + not appropriate for inquire_cred() to cause new credentials to be + fetched. + + * init_sec_context.c (krb5_gss_init_sec_context): Explicitly + release default cred in the NO_CREDENTIAL case, so it is always + refreshed. + 2003-02-21 Tom Yu * gssapi_krb5.c (kg_get_defcred): Check for invalid or expired diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index e015ea04c..db6eabd5d 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c @@ -132,46 +132,31 @@ void *kg_vdb = NULL; static gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL; +/* + * init_sec_context() will explicitly re-acquire default credentials, + * so handling the expiration/invalidation condition here isn't needed. + */ OM_uint32 kg_get_defcred(minor_status, cred) OM_uint32 *minor_status; gss_cred_id_t *cred; { - OM_uint32 major; - - *cred = GSS_C_NO_CREDENTIAL; - *minor_status = 0; - - if (defcred != GSS_C_NO_CREDENTIAL) { - /* - * If a default credential exists, ensure that it is valid and - * not expired. - */ - major = krb5_gss_inquire_cred(minor_status, defcred, - NULL, NULL, NULL, NULL); - if (major != GSS_S_CREDENTIALS_EXPIRED) { - if (GSS_ERROR(major)) - *cred = GSS_C_NO_CREDENTIAL; - else - *cred = defcred; - return major; + if (defcred == GSS_C_NO_CREDENTIAL) { + OM_uint32 major; + + if ((major = krb5_gss_acquire_cred(minor_status, + (gss_name_t) NULL, GSS_C_INDEFINITE, + GSS_C_NULL_OID_SET, GSS_C_INITIATE, + &defcred, NULL, NULL)) && + GSS_ERROR(major)) { + defcred = GSS_C_NO_CREDENTIAL; + return(major); } - major = kg_release_defcred(minor_status); - if (GSS_ERROR(major)) - return major; - } - major = krb5_gss_acquire_cred(minor_status, - (gss_name_t) NULL, GSS_C_INDEFINITE, - GSS_C_NULL_OID_SET, GSS_C_INITIATE, - &defcred, NULL, NULL); - if (GSS_ERROR(major)) { - defcred = GSS_C_NO_CREDENTIAL; - } else { - *cred = defcred; - *minor_status = 0; } - return major; + *cred = defcred; + *minor_status = 0; + return(GSS_S_COMPLETE); } OM_uint32 diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 2af8baca6..8877052ba 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -382,6 +382,13 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) { OM_uint32 major; + /* + * Release default cred prior to re-acquiring it, to notice when + * the ccache has changed. + */ + major = kg_release_defcred(minor_status); + if (GSS_ERROR(major)) + return major; if ((major = kg_get_defcred(minor_status, &claimant_cred_handle)) && GSS_ERROR(major)) { return(major); -- 2.26.2